Breaking down the CodeMash Capture the Flag

Last year CodeMash held its first Capture the Flag (CTF), and it was very successful. They decided to bring it back for 2018 and the format was changed a bit. The official site has all of the rules and information, but the basics of it were that a single puzzle was released at midnight in the 2 weeks leading up to the conference. This allowed people to solve them at a more leisurely pace and not have to cram them in during the conference. Also, the puzzles this year are a bit easier (but still challenging), which makes them more accessible to the entire audience of CodeMash.

Now that the CTF is over and the winner has been crowned, I thought I would share my solutions, so others can learn and share how they solved the problems.

I created a GitHub repo for any of the custom code I wrote for the CTF.

  1. Do you like my Style?
  2. Hobo Robo
  3. 1337 Riddler
  4. Super Eyesight
  5. Bools for Fools
  6. Withcraft
  7. Happy Eyes
  8. Lock
  9. Meow
  10. Chest
  11. Bacon
  12. On-site Challenge
  13. Alice
  14. Security Regulations
  15. P.A.L.M. Login

Codemash CTF - 15 - P.A.L.M. Login

Hint

15 - P.A.L.M. Login ™
Folks at HOBO Authentication Systems implemented a new authentication system named P.A.L.M. Login

Prove that you can break it and find a pair of username and passcode to log on.

Login

Approach

The login page contains a button and two inputs. When you put in text and hit the login button, you get the text nope.

Looking at the JavaScript for the button click takes us to a function that does the following:

function checkEntries() {
    var u = document.getElementById('puser').value;
    var p = document.getElementById('ppass').value;
    var used = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
    var ok = false;
    if (u === 'cavs') {
        if (p > 0 && p.length == 10) {
            ok = true;
            for (i = 1; i <= 10; i++) {
                var digit = p.charAt(i - 1);
                var part = p.substring(0, i);
                if (used[digit] != 0 || part % i != 0) {
                    ok = false
                }
                if (used[digit] == 0) {
                    used[digit] = 1
                }
            }
        }
    }
    if (ok) {
        document.location.href = 'palm_' + u + '_' + p + '.html'
    } else {
        alert('nope')
    }
}

Looking at the code, the username needs to be cavs and the password is a 10-digit number.

I started writing a brute force algorithm and trying to figure out the number that way, but I decided to see what I could find about the properties of the number.

It is a 10-digit number in which every digit is used only once and the first N digits must be divisible by N.

Plugging those requirements into Google yields lots of results.

Our number is 3816547290. Put that in the form and it takes you to a page named

palm_cavs_3816547290.html

With the text of:

Congrats!
cm18-zbIc-O4Zh-gmxl-r5J6
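
Because the whole check runs in the browser, its rules can also be solved offline. The following is an added example, not code from the challenge or the original write-up: `accepts` restates the passcode rules of `checkEntries` without the DOM, and `findPasscodes` (a name chosen here) is a pruned search over them.

```javascript
// Added example: find every passcode the page's checkEntries() would accept.
// accepts() mirrors the page's passcode rules; findPasscodes() is new code.
function accepts(p) {
    if (!/^\d{10}$/.test(p) || Number(p) <= 0) return false;
    const used = new Set();
    for (let i = 1; i <= 10; i++) {
        const digit = p.charAt(i - 1);
        // Same two conditions as the original: digit reuse, prefix % i.
        if (used.has(digit) || Number(p.substring(0, i)) % i !== 0) return false;
        used.add(digit);
    }
    return true;
}

// Depth-first search that builds the number digit by digit and drops a prefix
// as soon as it breaks a rule, so almost none of the 10^10 candidates are
// ever generated.
function findPasscodes() {
    const found = [];
    const used = new Array(10).fill(false);
    function extend(prefix, length) {
        if (length === 10) {
            found.push(String(prefix).padStart(10, '0'));
            return;
        }
        for (let d = 0; d <= 9; d++) {
            const next = prefix * 10 + d;
            if (used[d] || next % (length + 1) !== 0) continue;
            used[d] = true;
            extend(next, length + 1);
            used[d] = false;
        }
    }
    extend(0, 0);
    return found;
}

console.log(findPasscodes());
```

The search returns a single value, which shows that the client-side check gives the passcode no secrecy at all: the rules alone determine it.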

Return to the full breakdown of the Codemash CTF

Codemash CTF - 14 - Security Regulations

Hint

14 - Security Regulations
Due to some new privacy regulations this flag had to be shred. The classification will be secret or topsecret depending on the content.

____-____-____-____-____

Left over shred inside the paper shredder

Approach

Following the link gives you shred text:

Shred 1: 
Note: the other shreds are classified as «topsecret»!

cm18

Since the URL has a number in it, maybe we could change the 1 to a 2. Doing that results in shred text of:

Shred 2: 
Note: the contents on this shred were sanitized!

XXXX-XXXX

The URL also contains the word secret and there was mention in the clue of secret and topsecret, so if we change the URL to topsecret_challenge_shred2.html, we get the following text:

Shred 2

bWh0-VIkC

Update the URL for #3 and we get the text:

Shred 3

cMf4-72jY

Combine them together for the flag of

cm18-bWh0-VIkC-cMf4-72jY


Codemash CTF - 13 - Alice

Hint

13 - Alice
Follow the white rabbit.

With a hint image of:

white rabbit

Approach

Looking at the image, it is really big for a JPG. Looking at the file in a text editor, you also see mentions of other files:

Looking more deeply at the file, there appears to be a zip file after all of the bytes in the JPG. I extracted the bytes for the zip file using BE.HexEditor and copied them to a new file.

After extracting the zip you are given three files.
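
The extraction step above can also be scripted. This is an added Node.js example, not part of the original write-up: it finds the ZIP's end-of-central-directory record and works backwards to where the archive starts. The sample bytes and the entry name `hidden.txt` are constructed for the demonstration.

```javascript
// Added example (Node.js): carve a ZIP archive that was appended to a JPEG.
const EOCD_SIG = Buffer.from('504b0506', 'hex'); // "PK\x05\x06"
const LFH_SIG = Buffer.from('504b0304', 'hex');  // "PK\x03\x04"

// Returns { start, zip } for the appended archive, or null if none is found.
function carveAppendedZip(file) {
    // The end-of-central-directory (EOCD) record sits at the archive's tail.
    const eocd = file.lastIndexOf(EOCD_SIG);
    if (eocd === -1 || eocd + 22 > file.length) return null;
    const cdSize = file.readUInt32LE(eocd + 12);
    const cdOffset = file.readUInt32LE(eocd + 16); // relative to archive start
    const commentLen = file.readUInt16LE(eocd + 20);
    // The central directory ends where the EOCD begins, so the archive began
    // cdSize + cdOffset bytes earlier. Everything before that is the JPEG.
    const start = eocd - cdSize - cdOffset;
    if (start < 0 || !file.subarray(start, start + 4).equals(LFH_SIG)) return null;
    return { start, zip: file.subarray(start, eocd + 22 + commentLen) };
}

// Constructed sample: a fake JPEG body followed by a one-entry stored ZIP.
// The CRC field is left at zero because carving never reads it.
function buildSample() {
    const name = Buffer.from('hidden.txt'), data = Buffer.from('demo');
    const lfh = Buffer.alloc(30);            // local file header
    LFH_SIG.copy(lfh);
    lfh.writeUInt16LE(20, 4);                // version needed
    lfh.writeUInt32LE(data.length, 18);      // compressed size
    lfh.writeUInt32LE(data.length, 22);      // uncompressed size
    lfh.writeUInt16LE(name.length, 26);      // file name length
    const cdh = Buffer.alloc(46);            // central directory header
    cdh.writeUInt32LE(0x02014b50, 0);
    cdh.writeUInt32LE(data.length, 20);
    cdh.writeUInt32LE(data.length, 24);
    cdh.writeUInt16LE(name.length, 28);      // local header offset stays 0
    const eocd = Buffer.alloc(22);
    EOCD_SIG.copy(eocd);
    eocd.writeUInt16LE(1, 8);                // entries on this disk
    eocd.writeUInt16LE(1, 10);               // entries in total
    eocd.writeUInt32LE(cdh.length + name.length, 12);               // cdSize
    eocd.writeUInt32LE(lfh.length + name.length + data.length, 16); // cdOffset
    const jpeg = Buffer.from('ffd8ffe000104a464946000101ffd9', 'hex');
    return { jpeg, file: Buffer.concat([jpeg, lfh, name, data, cdh, name, eocd]) };
}

const sample = buildSample();
console.log(carveAppendedZip(sample.file).start, sample.jpeg.length);
```

The same size check is a quick triage signal for defenders: an image whose ZIP end record implies an archive start after the image data is carrying a second file.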

Opening each of those files in a text editor shows EXIF data that gives you hints:

In forest:

This image has a protected secret.

In meadow:

This meadow is all dried out. Check the water first.

In water:

steghide was here. With an empty passwor

I used an online steghide tool to extract the data.

Water yields the result:

You search the whole place but you can't find anything.


...


Now get out before you get flushed down.

Not much help in there, but Meadow yields the result:

So you think a mole can speak?!


...


Lucky you, this one can!

He's name is Fred and he tells you the passphrase:

The-Mad-Hatter

Forest appears to be password protected, so we take the password from meadow and apply it.

This yields the flag

Congratulations here is the flag!

cm18-xZl2-eHC5-axW3-ZkZG


Codemash CTF - 12 - On-site Challenge

Hint

12 - On-site Challenge
The flag for this challenge can only be found onsite at the conference, in the location seen on top of the backside of the elephant, in this picture.

When you arrive at CodeMash, find the code. Only attendees of CodeMash are eligible to win this competition, so don't share the code with anyone!

Approach

I have to admit, I spent more time on this one than I should have. I looked all around the elephant. If you look more closely at the picture, there is a reflection. Turning around I saw the flag (albeit with some clues from others):
